The EU Cyber Security Strategy, launched in Brussels today, is an assessment more than a forward-looking strategy. The assessment of a variety of crimes involving the internet fails to address questions of a strategic nature, and lacks a vision in the global context of defence and digital freedoms.

Difficult questions

“Vagueness leaves room for undesired consequences,” says Marietje Schaake, Dutch Member of European Parliament (ALDE/D66), and Rapporteur for the recently adopted first Digital Freedom Strategy in EU foreign policy. “I welcome the Commission’s initiative as a first step in starting a debate, but we cannot lose time in addressing the most difficult questions. The EU needs clear common security and defence standards, including a vision on whether or not to develop offensive capacities, on liabilities and on chains of command ensuring democratic oversight and preventing the privatization of defence capabilities. Increasingly private actors are responsible for critical infrastructures and services online, but the state has ultimate responsibilities of ensuring freedom and security.”

Offensive capabilities

“While network and information security are important parts of the security chain, we already have some good policies in place for that”, Schaake says. The draft NIS Directive that lies at the heart of the EU Cyber Security Strategy requires Member States to cooperate and coordinate risk assessments and to develop joint responses. “Setting up a phone tree will not be enough for Europe. It is no longer about keeping viruses out the door; we also have to decide on whether we seek EU offensive capability, and how to incorporate battlefield principles in cyber security. Reporting of breaches and vulnerabilities is important but does not put us ahead of the curve”, the MEP says.

Defence

This week, details of a confidential legal review of the use of cyber weapons by the United States leaked, revealing that President Obama has broad powers to order pre-emptive strikes in case of credible evidence of major digital attacks looming from abroad. At the same time, attribution and proportionality in responses to cyber attacks are complicated. Schaake: “More and more hints and revelations of offensive actions raise concerns of a cyber arms race. I reject the notion that cyber security mainly belongs in military headquarters, but I do believe that the EU should develop a carefully defined cyber defence doctrine. The EU strategy mentions the solidarity clause included in the European Treaties and announces NATO cooperation but falls short of giving any further clarity and guidance. Building integrated resilience of society should be one of our priorities. This in turn asks for a translation of the rule of law to apply in a global digitally connected environment.”

Public interests

Schaake also stresses the need for guidelines for shared public-private defence responsibilities and issues like the exploitation of zero-day vulnerabilities. “We need to ensure digital freedoms and cyber security do not become a zero-sum game. The interests of governments and companies do not always overlap. Companies are accountable to their shareholders, and seek to make profit. This can be in sharp contrast with the public interest which governments need to safeguard.”

Schaake regrets that while the Commissioners set out the objective to promote and protect digital freedoms, no new concrete actions are announced: “My report included over 70 concrete recommendations, of which some could have been easily included.”